kubernetes-ingress

TCP CRD: Enable multiple backends on the same frontend port by allowing backend-only TCP objects

Open cfabriziohivemq opened this issue 7 months ago • 2 comments

This is more of a feature request than an issue. I would like the ability to create a backend using the TCP CRD without requiring a frontend. This would allow a scenario where one listener on a specific port can serve multiple backends.

Example: Consider a broker serving traffic on the MQTTS port 8883:

apiVersion: ingress.v1.haproxy.org/v1
kind: TCP
metadata:
  name: broker01-service-tcp
  annotations:
    ingress.class: haproxy
spec:
  - name: broker01-tcp
    frontend:
      name: broker01-frontend
      tcplog: true
      clitcpka: enabled
      tcp_request_rule_list:
        - type: inspect-delay
          timeout: 5000
          index: 0
        - cond: if
          cond_test: "{ req_ssl_hello_type 1 }"
          action: accept
          type: content
          index: 1
      backend_switching_rule_list:
        - cond: if
          cond_test: "{ req_ssl_sni -i broker01.example.com }"
          index: 0
          name: default_broker-mqtt_broker-mqtts-0
      binds:
        - name: mqtts
          port: 8883
          accept_proxy: true
    service:
      name: nginx-reject-all-service
      port: 30000
    services:
      - name: broker-mqtt
        port: 8883

This configuration generates the following HAProxy configuration:

frontend tcpcr_default_broker01-frontend
  mode tcp
  bind :8883 name mqtts accept-proxy
  option tcplog
  option clitcpka
  tcp-request inspect-delay 5000
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend default_broker-mqtt_broker-mqtts-0 if { req_ssl_sni -i broker01.example.com }
  default_backend default_nginx-reject-all-service_broker-mqtts-0


backend default_broker-mqtt_broker-mqtts-0
  mode tcp
  balance roundrobin
  option srvtcpka
  option httpchk
  http-check send meth GET uri /api/v1/health/readiness
  default-server check port 9090
  server SRV_1 100.64.100.72:8883 enabled

As noted, the frontend listens on port 8883. Therefore I cannot create any additional TCP objects that bind to the same port. Is it possible to omit the frontend part of the CRD and only create the backend? Is there a workaround to achieve this using the current CRD?

cfabriziohivemq, May 07 '25 09:05
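The constraint described in the issue, where one listener port belongs to the frontend of a single TCP object, can be checked before manifests are applied. This is an added example, not part of the issue or the project's code: the `broker02` and `metrics` objects, the helper `tcp_object` and the function `find_bind_collisions` are constructed for illustration, and binds are compared by port only, which is a conservative assumption.

```python
from collections import defaultdict


def tcp_object(name, frontend, bind_name, port):
    """Build a dict shaped like the TCP manifest in the issue (hypothetical helper)."""
    return {"metadata": {"namespace": "default", "name": name},
            "spec": [{"name": name,
                      "frontend": {"name": frontend,
                                   "binds": [{"name": bind_name, "port": port}]}}]}


# Constructed sample input. Only the first object mirrors the issue's manifest;
# broker02 and metrics are made up to show one collision and one clean listener.
TCP_OBJECTS = [
    tcp_object("broker01-service-tcp", "broker01-frontend", "mqtts", 8883),
    tcp_object("broker02-service-tcp", "broker02-frontend", "mqtts", 8883),
    tcp_object("metrics-tcp", "metrics-frontend", "metrics", 9100),
]


def find_bind_collisions(tcp_objects):
    """Return {port: [owner, ...]} for every port claimed by more than one frontend."""
    owners = defaultdict(list)
    for obj in tcp_objects:
        meta = obj.get("metadata", {})
        ref = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        for entry in obj.get("spec") or []:
            frontend = entry.get("frontend") or {}
            for bind in frontend.get("binds") or []:
                # Compared by port only: any bind address is treated as
                # overlapping with every other bind on the same port.
                owners[int(bind["port"])].append(f'{ref}:{frontend.get("name", "?")}')
    return {port: names for port, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for port, names in sorted(find_bind_collisions(TCP_OBJECTS).items()):
        print(f"port {port} is bound by {len(names)} frontends: {', '.join(names)}")
```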

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot], Jun 06 '25 09:06

As a workaround I've done this by creating new frontends on a random port. But that's not a good solution. Ideally, the TCP CRD would let you define frontend/backend resources independently.

jsturmics, Jun 19 '25 19:06
